In this opinion piece, a cybersecurity researcher argues that loopholes in a new data retention bill push those wanting to use the 'Net anonymously into cafes, libraries, and fast food restaurants. The following op-ed does not necessarily represent the opinions of Ars Technica.

On Tuesday, the Republican-controlled House Judiciary Committee will hold a hearing in support of mandatory data retention legislation. The bill that they have proposed requires that Internet Service Providers, such as Comcast and Time Warner, save records of the IP addresses they assign to their customers for a period of 18 months.

As a thought experiment, let us give the bill's authors the benefit of the doubt. Let us assume, for a moment, that this additional data is not sought as part of the war on filesharing, but is in fact necessary to catch those who commit one of the most horrible, indefensible crimes. With this in mind, let's ask the question: will this bill be effective at catching sexual predators?

The wireless loophole

The bill includes a curious exception to the retention requirements: it doesn't apply to wireless data providers, such as AT&T and Verizon, or operators of public WiFi networks, such as Starbucks and McDonalds.

When questioned about this, a Republican committee staffer told CNET in May that the wireless loophole was added because wireless networks are designed in such a way that IP addresses are assigned to multiple users or accounts and they are "not technologically capable of retaining the type of data that law enforcement needs because that's not how their system works."

This explanation is completely bogus. Wireless providers, like wireline broadband providers, are quite capable of retaining logs of the IP addresses they temporarily issue to their customers. Many wireless providers, such as Sprint and Verizon, already retain IP logs for at least a year.

The true explanation for the loophole is, I believe, that the wireless carriers have powerful and remarkably effective lobbyists.

McDonalds: last refuge for the anonymous

If this legislation passes with the wireless loophole intact, residential broadband providers will be forced to retain identifying records that can be used to link users' online activities to their authenticated identities. Mobile phone carriers will continue to retain data voluntarily, and public WiFi networks will remain one of the last places where people, whether angels or devils, can browse the Internet anonymously.

If the House Judiciary Committee is truly concerned about protecting children, why is it proposing legislation that will encourage sexual predators to visit McDonalds restaurants in order to share their illicit contraband online? These are, after all, restaurants packed with innocent children, who have convinced their parents to take them there in search of a Happy Meal.

Of course, McDonalds aren't the only places with free, public, anonymous WiFi access. There are also public libraries, schools, and parks.

Christopher Soghoian is a Graduate Fellow at the Center for Applied Cybersecurity Research at Indiana University.

If the House Judiciary Committee is truly concerned about protecting children, why is it proposing legislation that will encourage sexual predators to visit McDonalds restaurants in order to share their illicit contraband online? These are, after all, restaurants packed with innocent children, who have convinced their parents to take them there in search of a Happy Meal.

Have you thought your argument through? It would be fairly difficult to get away with viewing porn of ANY sort in such a place without someone noticing and reporting you. If it were, in fact, the only place that child porn could be viewed, the problem would be cleaned up in a hurry.

If the House Judiciary Committee is truly concerned about protecting children, why is it proposing legislation that will encourage sexual predators to visit McDonalds restaurants in order to share their illicit contraband online? These are, after all, restaurants packed with innocent children, who have convinced their parents to take them there in search of a Happy Meal.

Have you thought your argument through? It would be fairly difficult to get away with viewing porn of ANY sort in such a place without someone noticing and reporting you. If it were, in fact, the only place that child porn could be viewed, the problem would be cleaned up in a hurry.

And trading said files at McD's doesn't require viewing them there. It's quite easy to upload or download something while there and view it later. With that said, I do think it is silly to exempt wireless providers and open wireless networks, especially since they are two completely different things. A wireless network provider like Sprint or AT&T is really no different than Comcast or AT&T providing home internet service. They can, just as easily, log the IPs they hand out. An open wireless, like at a McDonalds or library, is a completely different story and collecting logs would be technically challenging and virtually impossible to verify that the information is accurate.

This bill is going through in a vain attempt to quash the now inevitable uprising that any idiot (myself included) can see is brewing. And the fact that they left the cellular loopholes won't be the reason this won't stop it. Politicians are going to lose their "jobs" and cushy benefits.

If the House Judiciary Committee is truly concerned about protecting children, why is it proposing legislation that will encourage sexual predators to visit McDonalds restaurants in order to share their illicit contraband online? These are, after all, restaurants packed with innocent children, who have convinced their parents to take them there in search of a Happy Meal.

Have you thought your argument through? It would be fairly difficult to get away with viewing porn of ANY sort in such a place without someone noticing and reporting you. If it were, in fact, the only place that child porn could be viewed, the problem would be cleaned up in a hurry.

I automatically assume anyone I see using public wifi is a pedo-communist who hates capitalism and freedom as much as they love touching kids. Why don't they just pay for internet so the government/ISPs/Big Content can keep an eye on them?

If the House Judiciary Committee is truly concerned about protecting children, why is it proposing legislation that will encourage sexual predators to visit McDonalds restaurants in order to share their illicit contraband online? These are, after all, restaurants packed with innocent children, who have convinced their parents to take them there in search of a Happy Meal.

Have you thought your argument through? It would be fairly difficult to get away with viewing porn of ANY sort in such a place without someone noticing and reporting you. If it were, in fact, the only place that child porn could be viewed, the problem would be cleaned up in a hurry.

This is a wonderful example of a knee-jerk reaction full of very poor reasoning. I can only assume that you believe wifi is unavailable to anyone not using a 17" laptop set up in the middle of the restaurant.

If the House Judiciary Committee is truly concerned about protecting children, why is it proposing legislation that will encourage sexual predators to visit McDonalds restaurants in order to share their illicit contraband online? These are, after all, restaurants packed with innocent children, who have convinced their parents to take them there in search of a Happy Meal.

Have you thought your argument through? It would be fairly difficult to get away with viewing porn of ANY sort in such a place without someone noticing and reporting you. If it were, in fact, the only place that child porn could be viewed, the problem would be cleaned up in a hurry.

You can actually download porn in one place, and watch it in another.

Not only that, also using obfuscated filenames ("pope.pius.4.jpg" instead of "4yo.mary.jane.jpg") OR winrar/winzip/7zip-archives (or even password protected?) OR file-dump sites OR using relays/VPN/shells even OR all of the above...possibilities are quite many...

If the House Judiciary Committee is truly concerned about protecting children, why is it proposing legislation that will encourage sexual predators to visit McDonalds restaurants in order to share their illicit contraband online? These are, after all, restaurants packed with innocent children, who have convinced their parents to take them there in search of a Happy Meal.

Have you thought your argument through? It would be fairly difficult to get away with viewing porn of ANY sort in such a place without someone noticing and reporting you. If it were, in fact, the only place that child porn could be viewed, the problem would be cleaned up in a hurry.

They don't have to view the files at the open WiFi hotspot, just send the files back and forth, then view the files once they get home.

This explanation is completely bogus. Wireless providers, like wireline broadband providers, are quite capable of retaining logs of the IP addresses they temporarily issue to their customers

How did you get that from "not technologically capable of retaining the type of data that law enforcement needs because that's not how their system works?" I understand it as meaning that law enforcement cannot identify the actual Internet user from such public wireless networks. It does not mean wireless providers can't log data, just that this type of anonymous data is useless to law enforcement.

I agree with the rest of the article, though. Even without the wireless loophole, I'm pretty sure child pornographers are learning to stay anonymous even on residential Internet, so it's just another half-baked piece of legislation that just makes the Internet more complex and costly. I oppose CP, but data retention is not storing CP-specific logs, but all our activity, this will probably result in more people with no illicit Internet usage to move to proxies and TOR networks just because they are pissed off at the lack of privacy. What happened to privacy retention?

Honestly, I think this OpEd is a weak piece. Yeah there's a loophole. But it's just silly scaremongering saying it will force predators to go into public places where they'll probably be more likely to encounter young, tender innocents. It's sort of funny in an overly long set up for a pun kind of way. The entire premise relies on ignoring every other available option such as wardriving, VPNs, 7 proxies and the like. And even if the only option to do naughty things is by using public wi-fi, so what? So there's a loophole, is anyone surprised? An antenna will get you a connection without even needing to be on the premises. And free wi-fi is just as common at public locations that don't have lots of children like coffee shops, restaurants and hotels. This article is neatly summed up in three parts: background information, point out loophole and silly situation. There's not much meat.

And how exactly does keeping a log of IP address assignments protect children exactly? It seems to me that this bill, if it were actually intended to do what it claims, is set up to catch the bad guy after the fact, but does absolutely nothing to actually protect children.

It's like trying to protect a self-serve all-you-can-eat buffet from theft and misuse by placing the security guard at the exit, but only the main exit, leaving several smaller side exits uncovered. Yeah sure, you might catch a few freeloading thieves, but only the dumb ones, all the smart ones, after getting their fill of all the free food they can eat, will use the side exits, and what does it really matter: The damage is already done. You might prevent the thief from ripping off other buffets in the future, but that can't bring back that food's innocence, or stop it from having nightmares.

What would be a truly useful bill is one that forced ISPs to create a political bullshit filter with automatic translator, so the next time we read a headline like "Protecting Children from Internet Pornographers Act of 2011" it will be immediately and properly translated to its correct title: Yet another privacy eroding, Government snooping bill wrapped in a Save The Children wrapper - ACT of 2011

If the House Judiciary Committee is truly concerned about protecting children, why is it proposing legislation that will encourage sexual predators to visit McDonalds restaurants in order to share their illicit contraband online? These are, after all, restaurants packed with innocent children, who have convinced their parents to take them there in search of a Happy Meal.

Have you thought your argument through? It would be fairly difficult to get away with viewing porn of ANY sort in such a place without someone noticing and reporting you. If it were, in fact, the only place that child porn could be viewed, the problem would be cleaned up in a hurry.

The only one with a shortsighted view is you. The other comments here have already taken care of that.

------

Just another lurid day in Congress. The Thought Control Police is alive and well.

I don't know what disturbs me more:
* the fact that I'm having difficulty figuring out whether this is a serious opinion piece or a cleverly done piece of satire
* or the socio-political trends underlying the fact that I'm having difficulty figuring out whether this is a serious opinion piece or a cleverly done piece of satire

"...the wireless loophole was added because wireless networks are designed in such a way that IP addresses are assigned to multiple users or accounts and they are 'not technologically capable of retaining the type of data that law enforcement needs because that's not how their system works.'"

Hadn't heard about this bill before. Curious how it'll shake out given (1) wireline ISPs are looking at Carrier-Grade NAT to extend the life of IPv4, and that would seem to fall under this logic for an exception; and (2) the district court judge who recently ruled an IP address != a person, showing there's at least someone in the judicial system with some common sense.

I don't know what disturbs me more:
* the fact that I'm having difficulty figuring out whether this is a serious opinion piece or a cleverly done piece of satire
* or the socio-political trends underlying the fact that I'm having difficulty figuring out whether this is a serious opinion piece or a cleverly done piece of satire

I was just thinking that this piece does a good job of using the same scare tactics implied that bullshit name to draw light on how bullshit it really is. Bravos.

I don't know what disturbs me more:
* the fact that I'm having difficulty figuring out whether this is a serious opinion piece or a cleverly done piece of satire
* or the socio-political trends underlying the fact that I'm having difficulty figuring out whether this is a serious opinion piece or a cleverly done piece of satire

Honestly, I think this OpEd is a weak piece. Yeah there's a loophole. But it's just silly scaremongering saying it will force predators to go into public places where they'll probably be more likely to encounter young, tender innocents. It's sort of funny in an overly long set up for a pun kind of way. The entire premise relies on ignoring every other available option such as wardriving, VPNs, 7 proxies and the like. And even if the only option to do naughty things is by using public wi-fi, so what? So there's a loophole, is anyone surprised? An antenna will get you a connection without even needing to be on the premises. And free wi-fi is just as common at public locations that don't have lots of children like coffee shops, restaurants and hotels. This article is neatly summed up in three parts: background information, point out loophole and silly situation. There's not much meat.

As others have pointed out, it very well may be a bit satirical in its tactics, but it does a pretty good job of showing that even if we are thinking of the children and only the children, this bill will do more harm than good (although the effects on 'predators' will probably be fairly small either way)

Both are pretty bad scare pieces. IP addresses probably aren't as useful for 'catching predators' as they are for everything else the government does, but thinking that the world will be a more dangerous place because a predator might leave his house an additional time in the day is also just thinking blindly.

Look, all of this IP logging and security breaching is just handwaving around the true problem. The only real way to get rid of child pornography is at the source -- the children.

If there aren't any children, there won't be any child porn. Just take the little ones to the government recycling centers, where they'll be painlessly turned into nutrient paste for livestock. At one stroke, the problems of child porn, education policy and funding, teacher pay, and child care availability will be solved. Health care costs will plummet as entire wings of hospitals will be freed up.

Oh, and we'll also have to sterilize all adults, to prevent the sad scourge of children from just reappearing again. But hey, surely all the benefits to be gained will be well worth the cost of millions of packages of frozen peas.

So please call your Congressthing and voice your support for the Kill The Damn Children and Be Done With It Already bill.

Look, all of this IP logging and security breaching is just handwaving around the true problem. The only real way to get rid of child pornography is at the source -- the children.

If there aren't any children, there won't be any child porn. Just take the little ones to the government recycling centers, where they'll be painlessly turned into nutrient paste for livestock. At one stroke, the problems of child porn, education policy and funding, teacher pay, and child care availability will be solved. Health care costs will plummet as entire wings of hospitals will be freed up.

Oh, and we'll also have to sterilize all adults, to prevent the sad scourge of children from just reappearing again. But hey, surely all the benefits to be gained will be well worth the cost of millions of packages of frozen peas.

So please call your Congressthing and voice your support for the Kill The Damn Children and Be Done With It Already bill.

I tip my hat to you, sir! A more compelling and thought-provoking argument I have never had the pleasure of consuming.

Wandering Wastrel wrote:

Look, all of this IP logging and security breaching is just handwaving around the true problem. The only real way to get rid of child pornography is at the source -- the children.

If there aren't any children, there won't be any child porn. Just take the little ones to the government recycling centers, where they'll be painlessly turned into nutrient paste for livestock. At one stroke, the problems of child porn, education policy and funding, teacher pay, and child care availability will be solved. Health care costs will plummet as entire wings of hospitals will be freed up.

Oh, and we'll also have to sterilize all adults, to prevent the sad scourge of children from just reappearing again. But hey, surely all the benefits to be gained will be well worth the cost of millions of packages of frozen peas.

So please call your Congressthing and voice your support for the Kill The Damn Children and Be Done With It Already bill.

The point this article is trying to make is moot because the IP addresses in question are recycled and in high traffic areas would be completely useless. Even in lower traffic areas, they would have to be used in tandem with security videos, timestamps, witnesses (good luck!) and/or receipts (if any available) in order to identify the perpetrator. Common sense says that a perp would feel safer in a crowd of people where his/her identity would be more obscured. This isn't about whether or not legislators care about children, but rather whether the data in question could actually be of any use to law enforcement.

We don't need those pesky "liberties" our past generation fought, killed, and died for. You know the ones who also took our wars over to other nations killed little kids, and raped women. All in the name of our liberties! I know we have some pinko commies in the closet, come on out. Let's have a parade, and let our government know, that we know, that they know, that we know, we don't care about what "America" really stands for. So line up, and let it be known how much we think of liberty! Every man has his price right?

I can't wait until some of these roving bands of internet hackers we've seen over the last couple of years start hacking into ISP retention data and broadbanding people's browsing history.

Perhaps, as a public service, ISPs could just go ahead and set up a poorly defended server -- perhaps they could let Sony administer it? -- containing retained access data from the IP addresses of the congresscritters working on this bill.